Knowledge Base

TLS, Certificates, and Service Identity

Treat encryption, certificate validation, and backend trust as separate service decisions.

Why it matters

TLS protects a connection only when the client and server negotiate a suitable protocol and the service identity is validated as intended. A server certificate, client certificate, chain, root or intermediate CA, hostname, key usage, and extended key usage each answer different questions.

Core concepts

Subject alternative names support hostname validation. Expiration, revocation, TLS versions, cipher suites, SNI, mutual TLS, and certificate pinning have separate operational effects. A load balancer may terminate TLS and re-encrypt to a backend; the backend certificate and validation policy still deserve review.

Safe validation workflow

  1. Record hostname, endpoint, expected service owner, certificate subject alternative names, issuer, chain, and expiry.
  2. Confirm client time synchronization and the intended trust store.
  3. Check the negotiated protocol and whether an intermediate certificate is delivered.
  4. For a rollout, test representative clients and backend paths before removing the previous certificate.

Troubleshooting and renewal checklist

  • Does the name match the certificate SAN rather than only a display label?
  • Is an intermediate missing, expired, or untrusted by the relevant client?
  • Does SNI select the expected certificate at a shared endpoint?
  • Have renewal, rollback, monitoring, and certificate ownership been scheduled?

Common mistakes

Do not permanently disable certificate validation to restore service. An unexpired certificate is not automatically trusted, and an encrypted connection does not prove the intended service identity when hostname or chain validation fails.

Fictional example

A mobile client reports a trust error after a certificate renewal. The service certificate is current, but the load balancer omits a new intermediate. The team validates the full chain with representative clients and retains the previous path as a bounded rollback option.

Related Vuln Signal content

Use TLS and Certificate inspection, DNS inspection, Website and Domain Security Check, and Network Change Validation.